In this paper, we present a novel approach to IP traceback: deterministic flow marking (DFM). We evaluate this approach against two well-known IP traceback schemes, probabilistic packet marking (PPM) and deterministic packet marking (DPM). To do so, we analyzed these techniques in detail in terms of their performance and feasibility on five Internet traces. These traces consist of Darpa 1999 traffic traces, CAIDA October 2012 traffic traces, MAWI December 2012 traffic traces, and Dal2010 traffic traces. We employed 16 performance metrics in the evaluation. The empirical results show that DFM can reduce the number of marked packets by 91% compared to DPM, while achieving the same or better performance in terms of its ability to trace back the attack. Additionally, DFM provides optional authentication so that a compromised router cannot forge the markings of other, uncompromised routers. Unlike PPM and DPM, which trace the attack up to the ingress interface of the edge router close to the attacker, DFM allows the victim to trace the origin of incorrect or spoofed source addresses up to the attacker node, even if the attack originated from a network behind a network address translation (NAT) server. Our results show that DFM can reach up to approximately 99% traceback rate with no false positives.